On 9/7/08 8:49 AM, Adrian Chadd wrote:
> On Sun, Sep 07, 2008, David Newman wrote:
>
>> 1. Set IP options. A pair of Cat 6509Es using VSS can forward packets
>> without options at up to 770 mpps, but when packets have options the
>> maximum is more like 20 kpps. And that's a "high-speed" example; the
>> options forwarding rate is more like 0 pps with some other devices.
>> Silicon that forwards packets very fast is only good when header lengths
>> are fixed.
>
> So what you're saying is "send the right crafted packets and DoS the internet",
> right?
My experience *in lab testing* is that most and perhaps all switches do
slow-path processing of v4 and v6 packets with IP options set, and that
slow-path forwarding rates are a tiny fraction of fast-path forwarding
rates. Christian Huitema made a similar observation in one of his
textbooks 10 or more years ago; tests as recently as this year suggest
this is still the case.
I'm not making any assertions about DoS attacks on production networks.
Rate controls and other mechanisms can help mitigate the effects of
flooding attacks, but that's a different topic.
> (I think I know which options may make routers go all software-path on the
> packets but I haven't given it a run on a Cat6500. Hm, I wonder if this here
> 3750 in the lab will do..)
The record route option will cause rather precipitous drops in
forwarding rates on both boxes (and many others). I have not tried other
option types, but other testers have told me these too will be slow-pathed.
Again, from the ASIC/NP/FPGA's standpoint: Fixed-length, good.
Variable-length, not so much...
dn
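[Editor's added example, not part of the thread above.] The fixed-versus-variable-length point is easy to check in software: an IPv4 header with IHL == 5 is exactly 20 bytes, and anything with IHL > 5 carries options (Record Route, source routes, timestamps) and is the kind of packet the post says gets punted to the slow path; on the v6 side the equivalent is a packet whose Next Header is Hop-by-Hop Options (0). The script below, written for this page rather than taken from any vendor or from the posters, builds a few constructed packets in memory, walks the option list the way an edge filter or test harness would, and classifies each packet as fast-path, slow-path (with the option types named) or drop (malformed option lengths). Addresses, packet contents and the "fast/slow/drop" labels are assumptions for illustration; the option type codes are the RFC 791 values.

```python
"""Classify IPv4/IPv6 packets by whether the IP header carries options.

Added example for this page (not from the thread or any vendor).  It
shows why fixed 20-byte IPv4 headers are easy for silicon and option-
bearing headers are not: the option list is a variable-length TLV walk.
"""
import ipaddress
import struct

# IPv4 option type codes from RFC 791 / RFC 791-era RFCs.
IPOPT_EOL, IPOPT_NOP, IPOPT_RR, IPOPT_TS = 0, 1, 7, 68
IPOPT_LSRR, IPOPT_SSRR = 131, 137
OPTION_NAMES = {IPOPT_RR: "Record Route", IPOPT_TS: "Timestamp",
                IPOPT_LSRR: "Loose Source Route",
                IPOPT_SSRR: "Strict Source Route"}
IPV6_HOPOPT = 0  # IPv6 Next Header value for Hop-by-Hop Options


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement header checksum (hdr length is even here)."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src, dst, options=b"", payload=b"", proto=17, ttl=64):
    """Constructed IPv4 packet; options are padded to a 4-byte multiple with EOL."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    if ihl > 15:
        raise ValueError("options exceed the 60-byte header limit")
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed) + options
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_ipv6(src, dst, next_header, payload=b""):
    """Constructed IPv6 packet: 40-byte fixed header plus payload."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def ipv4_options(pkt: bytes):
    """Walk the IPv4 option TLVs. Returns (header length in bytes, [option types]).
    Raises ValueError on a malformed IHL or option length."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    opts, i = [], 20
    while i < ihl:
        t = pkt[i]
        if t == IPOPT_EOL:
            break                      # end of option list; rest is padding
        if t == IPOPT_NOP:
            i += 1                     # single-byte option, no length field
            continue
        if i + 1 >= ihl or pkt[i + 1] < 2 or i + pkt[i + 1] > ihl:
            raise ValueError("bad option length at offset %d" % i)
        opts.append(t)
        i += pkt[i + 1]
    return ihl, opts


def classify(pkt: bytes) -> str:
    """'fast' (fixed header), 'slow:<why>' (options present) or 'drop:<why>'."""
    try:
        version = pkt[0] >> 4
        if version == 4:
            ihl, opts = ipv4_options(pkt)
            if ihl == 20:
                return "fast"
            names = ",".join(OPTION_NAMES.get(t, "type%d" % t) for t in opts)
            return "slow:ipv4-options(%s)" % names
        if version == 6:
            if len(pkt) < 40:
                raise ValueError("short IPv6 header")
            return "slow:ipv6-hop-by-hop" if pkt[6] == IPV6_HOPOPT else "fast"
        raise ValueError("unknown IP version %d" % version)
    except (ValueError, IndexError) as e:
        return "drop:%s" % e


# Constructed sample traffic (documentation-range addresses).
SRC, DST = "192.0.2.1", "198.51.100.2"
RR_OPTION = bytes([IPOPT_RR, 39, 4]) + b"\x00" * 36          # 9 empty address slots
LSRR_OPTION = bytes([IPOPT_LSRR, 7, 4]) + ipaddress.IPv4Address("203.0.113.9").packed
HBH_HEADER = b"\x11\x00\x01\x04\x00\x00\x00\x00"             # next=UDP, PadN option
SAMPLES = {
    "plain": build_ipv4(SRC, DST, payload=b"x" * 8),
    "record_route": build_ipv4(SRC, DST, options=RR_OPTION),
    "lsrr": build_ipv4(SRC, DST, options=LSRR_OPTION),
    "v6_plain": build_ipv6("2001:db8::1", "2001:db8::2", 17),
    "v6_hbh": build_ipv6("2001:db8::1", "2001:db8::2", IPV6_HOPOPT, HBH_HEADER),
    # IHL says 24 bytes but the option claims length 80: must be dropped, not parsed.
    "malformed": bytes([0x46]) + build_ipv4(SRC, DST)[1:20] + bytes([IPOPT_RR, 80, 4, 0]),
}


def report(samples=SAMPLES):
    return {name: classify(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print("%-13s %s" % (name, verdict))
```

The walk in ipv4_options is the part a forwarding ASIC cannot do in one fixed-width lookup: each option's length field decides where the next one starts, so header parsing becomes a loop with data-dependent bounds. That is also why a filter at the edge usually keys on IHL > 5 (or Next Header == 0 for v6) rather than on individual option types, and why the malformed case must be rejected before anything downstream trusts the length fields.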